This post is about a topic that few of us ponder often: security architecture frameworks. We have some exciting research plans in this area, hence this blog series.
Perhaps one can say that dumb people think of boxes, smart people think of processes, wise people think of architectures? OK, I just made it up, so perhaps dumb people think of pithy oversimplifications of reality, no? 🙁
In any case, this post is a continuation of this one, where I asked about how people define “security architecture” in 2018. Today I want to remind people that “standard” security architecture frameworks do exist.
Widely-known [not the same as widely-used, mind you] examples include:
- SABSA (Sherwood Applied Business Security Architecture … and no, I don’t know what Sherwood stands for either, but presumably not the forest …)
- O-ESA (The OpenGroup Enterprise Security Architecture, definitely alive, but closed behind the paywall? [oh, look, the pot calling the kettle back :-)])
- OSA (Open Security Architecture, presumed dead by some)
On top of this, some “architecture-like” things can be found in NIST CSF (a lot, actually), ISO 2700x series and even in COBIT, if you look hard enough and use your architect’s eye.
But here is the punchline: does anybody care? More specifically, does anybody use them as foundations for their security architecture? Can security architecture frameworks even keep up with the evolution of IT? After all, there wasn’t much agile cloud mobile DevOps in the 1990s … Furthermore, we all know of people who use ISO series or NIST CSF (or NIST 800s) as control lists or policy advice, but perhaps not so many use them as architectural foundations…. If you do, please comment.
Posts related to this research:
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.